VMware Cloud Community
jrmunday
Commander

SSL Certificates

Hi all,

I am currently implementing SSL certificates in my environment and wasn't clear on one of the initial steps configuring openssl.cfg - http://kb.vmware.com/kb/2015387.

The instructions are clear, but I have the following questions:

  1. Should I use the actual host name or the DNS name (i.e. hostname.domain.com or dnsalias.domain.com) - what are the implications?
  2. What needs to change in this line "organizationalUnitName = vCenterInventoryService"?

This is the reference configuration;

Note: Replace the highlighted code with details of the server that you are configuring.

[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vc50, DNS:10.0.0.10, DNS:vc50.vmware.com

[ req_distinguished_name ]
countryName = US
stateOrProvinceName = NY
localityName = New York
0.organizationName = VMWare
organizationalUnitName = vCenterInventoryService
commonName = vc50.vmware.com


Thanks,

Jon

vExpert 2014 - 2022 | VCP6-DCV | http://www.jonmunday.net | @JonMunday77
6 Replies
nirvy
Commander

Hi Jon

Regarding #1, if a vCenter component connects to the Inventory Service using hostname.domain.com, but you only setup dnsalias.domain.com in the commonName / subjectAltNames of the certificate, then hostname.domain.com will not match any identity within the certificate and the connection will not be considered 'verified'. So either:

1) Use the hostname that was confirmed when you installed IS (One of the steps was to confirm the local system name - it should have been an FQDN).

2) Add hostname.domain.com to commonName and subjectAltName, but also add dnsalias.domain.com to subjectAltName so that you are covered for all possibilities.

Regarding #2, this line is not relevant to processing the cert and is informational only.  It can stay as is, or other examples that you could use for OU might be: IT, IT Operations, MIS, etc.

Cheers

Mark

jrmunday
Commander

Hi Mark,

Thanks for the feedback. I will do some more testing and post an update.

Do you happen to know which version of OpenSSL is the correct one? The KB article first states to use a specific version and then says a later one can be used:

First:

Important: Ensure that you are using OpenSSL version 0.9.8. If you do not use this version, the SSL implementation will fail.


And then, step 2 ...

Download the Shining Light Productions installer for OpenSSL x86 version 0.98r or later


Cheers,

Jon

nirvy
Commander

I had success with OpenSSL 0.9.8y from http://slproweb.com/products/Win32OpenSSL.html

Mark

VC51
Enthusiast

Here is a great resource, full of information: http://www.derekseaman.com/2012/09/vmware-vcenter-51-installation-part-2.html

It helped me a great deal; trust me, take a read...

nirvy
Commander

Interesting - that blog post implies that the OU must be unique for each service, and this KB backs it up: http://kb.vmware.com/kb/2037432:

The OpenSSL configuration when generating requests must:

  • Have the subject alternative name field included in them
  • Have unique OrganizationalUnitNames for the components
  • Include digitalSignature, keyEncipherment, dataEncipherment components for Key Usage

I hadn't realised that - I must have just used the default samples from that KB... The OU field is definitely not necessary for cert generation, but apparently is important for SSO registration :)

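Added example (not from this thread, the VMware KB, or any VMware tooling): a shell script that writes an openssl.cfg patterned on the template in Jon's post, generates a CSR from it with the OpenSSL CLI, and then reads back what the request actually asserts. That read-back is the check behind both of Mark's points: whether the name a client dials (the FQDN, the short name, or the alias) is covered by the CN or a SAN entry, and whether two components' requests carry distinct OUs as KB 2037432 requires. The alias vcalias.vmware.com, the second component's OU vCenterServer and the function names are constructed for the example, and it assumes a current OpenSSL on a POSIX shell rather than the 0.9.8 Windows build the thread uses. One deliberate difference from the KB template: the IP address is entered as IP:10.0.0.10 rather than DNS:10.0.0.10, because RFC 5280 puts IP addresses in the iPAddress SAN type and a DNS entry that holds an IP does not match a connection made to that IP.

```shell
#!/bin/sh
# Added example, not from the thread or the VMware KB. Builds an openssl.cfg
# from the KB-style template, generates an unsigned CSR, then reads back the
# identities (CN/SAN) and the OU the request carries.
# vcalias.vmware.com and the vCenterServer OU are constructed values.
set -eu

WORK="${TMPDIR:-/tmp}/csr-example.$$"
mkdir -p "$WORK"

# write_cfg <file> <fqdn> <alias-fqdn> <ip> <ou>
# SAN carries the short name, the FQDN and the alias as DNS entries and the
# address as an IP entry (RFC 5280), not as DNS: like the KB sample.
write_cfg() {
  cat > "$1" <<EOF
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:${2%%.*}, DNS:$2, DNS:$3, IP:$4

[ req_distinguished_name ]
countryName = US
stateOrProvinceName = NY
localityName = New York
0.organizationName = VMware
organizationalUnitName = $5
commonName = $2
EOF
}

# gen_csr <cfg> <out-prefix>: writes <prefix>.key and <prefix>.csr
gen_csr() {
  openssl req -new -nodes -config "$1" -keyout "$2.key" -out "$2.csr" 2>/dev/null
}

# csr_san <csr>: prints the SAN line with spaces removed, e.g.
# DNS:vc50,DNS:vc50.vmware.com,DNS:vcalias.vmware.com,IPAddress:10.0.0.10
csr_san() {
  openssl req -in "$1" -noout -text \
    | sed -n '/Subject Alternative Name/{n;p;}' | tr -d ' '
}

# csr_ou <csr>: prints the OU taken from the subject in RFC 2253 form
csr_ou() {
  openssl req -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*OU=\([^,]*\).*/\1/p'
}

# name_covered <csr> <name>: exit 0 if <name> is the CN or a DNS SAN entry.
# This mirrors the match a TLS client performs against the name it dialled;
# a name that is absent leaves the connection unverified.
name_covered() {
  cn=$(openssl req -in "$1" -noout -subject -nameopt RFC2253 \
         | sed -n 's/.*CN=\([^,]*\).*/\1/p')
  [ "$cn" = "$2" ] && return 0
  case ",$(csr_san "$1")," in
    *",DNS:$2,"*) return 0 ;;
  esac
  return 1
}

# ous_unique <csr>...: exit 0 if every CSR carries a different OU (KB 2037432)
ous_unique() {
  for f in "$@"; do csr_ou "$f"; done | sort | uniq -d | grep -q . && return 1
  return 0
}

# Two components on the same vCenter host: Inventory Service and vCenter Server.
write_cfg "$WORK/is.cfg" vc50.vmware.com vcalias.vmware.com 10.0.0.10 vCenterInventoryService
write_cfg "$WORK/vc.cfg" vc50.vmware.com vcalias.vmware.com 10.0.0.10 vCenterServer
gen_csr "$WORK/is.cfg" "$WORK/is"
gen_csr "$WORK/vc.cfg" "$WORK/vc"

csr_san "$WORK/is.csr"
name_covered "$WORK/is.csr" vcalias.vmware.com && echo "alias covered"
name_covered "$WORK/is.csr" other.vmware.com || echo "other.vmware.com NOT covered"
ous_unique "$WORK/is.csr" "$WORK/vc.csr" && echo "OUs unique"
```

name_covered passes for vc50, vc50.vmware.com and the alias because all three are listed, and fails for any name that was left out of the request; that is the failure Mark describes when a component connects by a name the certificate never carried. ous_unique only inspects what the CSRs say, so run it over the full set of component requests before submitting them to the CA.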
jrmunday
Commander

Yes, I noticed that earlier in the week when I was googling around for information. Since I'm still on 5.0 SSO is not a concern and I will try generating the certs today using the version you had success with.
